Security Concerns on Cloud

July 28, 2017 10:31 am Published by Leave your thoughts

WHAT IS THE CLOUD?

The cloud is a term that many people find difficult to describe, even though most everyone uses it. If you use Google Cloud, AWS, Microsoft Azure or any sort of online storage, you’re already on the cloud. Savvy businesses use the cloud for their infrastructure because there are so many advantages. So what is it? The name almost feels like you’re shooting off information into the sky, but that is not actually case.

The cloud isn’t one physical thing. It’s a whole network of servers – and each is responsible for a different task. For example, if you take a picture, it is stored on your smartphone. You are not using the cloud. If you upload the photo to Instagram, you are uploading the picture to a remote server. You are using the cloud. Some servers on the cloud provide an online service (Adobe Creative Cloud, etc.) and others are for storing data that helps your business run (Google Drive, Oracle Cloud, etc.).

WHY DO WE USE THE CLOUD?

According to a 2014 survey by Harris Interactive, 39 percent of Americans use the cloud, and 86 percent of those Americans say it has improved the life of those who work. In 2017, that number has only grown.

The chart above shows some of the top benefits of cloud usage. Nearly half of those surveyed believe it makes sharing easier (it definitely does) and helps them feel better about data back-ups (having just one copy on one, physical server is dangerous).

While cloud computing may save your business money and make it easier to share documents among an entire team, it isn’t all roses and sunshine. There can be some major, major cloud computing security issues if you’re not careful. To combat these issues, you’ve got to know what they are and approach them head-on.

THREATS

There are numerous security issues for cloud computing as it encompasses many technologies including networks, databases, operating systems, virtualization, resource scheduling, transaction management, load balancing, concurrency control and memory management. Therefore, security issues for many of these systems and technologies are applicable to cloud computing. For example, the network that interconnects the systems in a cloud has to be secure and mapping the virtual machines to the physical machines has to be carried out securely. Data security involves encrypting the data as well as ensuring that appropriate policies are enforced for data sharing. Various security concerns in a cloud computing environment are as under:-

DATA BREACHES

Just like traditional corporate security networks, data stored on cloud services can be a major target which can be devastating if you’re a business with a large client base. Your data needs to be secure, and that’s the bottom line, but we’ve seen horrible breaches happen in recent years that tarnished brands and left customers’ sensitive information exposed.

Most recently, this happened at the massive web-hosting service Weebly, which compromised millions of individuals and businesses who ran their websites through the service. In October of 2016, over 43.5 million accounts were affected, and information such as user names, email addresses, passwords and IP addresses were exposed. Thankfully, Weebly said that they don’t believe any credit card information was taken, but if it was, it could have been disastrous.  There’s a whole lot someone could do with email addresses and passwords, and you can’t allow your business to be exposed that way.

COMPROMISED CREDENTIALS AND BROKEN AUTHENTICATION

The CSA listed compromised credentials and broken authentication as their number two threat to cloud services. This falls under the umbrella of data breaches because it’s basically the Achilles heel of a number of cloud-based services. I already touched upon the idea of two-factor authentication, and how multifactor authentication is the best way to protect your information, but did you know your business practices – not the company who runs the cloud-based service — may be putting your business at risk as well?

HACKED INTERFACES AND APIS

An API is a set of routines, protocols and tools that help build software applications – some of these are customizable, some of these are simply used as they are. Almost every cloud service offers APIs which allow IT teams to manage and interact with the cloud service. Alternatively, user interfaces help IT teams and regular employees manage, monitor and orchestrate specific functions of the cloud service they use. If one of these gets hacked, it’s basically an open door to your most sensitive information. A cloud service is only as secure as its API.

EXPLOITED SYSTEM VULNERABILITIES

Programs have bugs, and that’s nothing new. Patches are released every day that help fix problems in various apps. One of the best parts about using a cloud-based service is that you can get regular bug fixes as they’re created. Just like traditional software, bugs are a major cloud computing data security issue. Some bugs are exploitable, and as organizations use the cloud to share memory, databases and other resources in close proximity to another, the vulnerabilities become more enticing for hackers.

ACCOUNT HIJACKING

Have you ever gotten an e-mail saying someone logged into your Google account from another country, but Google had blocked it? This is some of the security Google has in place to prevent your account from being hijacked without your knowledge.

Since the beginning of the Internet, phishing and fraud have been happening. If you move your business to the cloud, you are opening your business up to everything terrible the Internet has been doing for the last 30 years. Yes, a hacker can hijack your account, watch your online activities, make or manipulate transactions, modify your data and even use your account to launch attacks on other unsuspecting individuals. The hacker can be a stranger, a disgruntled past employee, or a shady friend-of-a-friend.

MALICIOUS INSIDERS

Cloud services can’t prevent malicious insiders on their own. This falls mainly on your company policies, but is still considered a vulnerability within cloud-based services. It used to be that you fire an employee and make them immediately leave the office without touching their computer. This prevented them from accessing company servers and stealing confidential and sensitive information. With the cloud, employees can access information remotely. This means they don’t have to be in your office to get the details they want.

THE APT PARASITE

APT Parasites, or advanced persistent threats, are the CSA’s seventh biggest threat. The difference between an APT and a virus is the fact that it’s so much more advanced. It’s bigger than a simple Trojan virus, some malware or malicious code. In fact, often times antivirus software does not detect an APT.

An APT is a set of stealthy and continuous computer hacking processes. These are often targeted towards private organizations, states, and even governments for business or political reasons. APTs move through the network undetected by blending in with normal traffic and reaping the information they need over a long period of time.

CHALLENGES

Adoption of cloud computing is associated with numerous challenges because users are still skeptical about its authenticity. Research is still in progress to identify and address the challenges of meeting the requirements of next generation private, public and hybrid cloud computing architectures, also the challenges of allowing applications and development platforms to take advantage of the benefits of cloud computing. Many existing issues have not been fully addressed, while new challenges keep emerging from industry applications. Some of the challenging issues in cloud computing are given below:

Service Level Agreements (SLA’s):   Cloud is administrated by SLA that allow several instances of one application to be replicated on multiple servers if need arises; depending on a priority scheme, the cloud may minimize or shut down a lower level application. A big challenge for the Cloud customers is to evaluate SLAs of CSP. Most vendors create SLAs to make a defensive shield against legal action, while offering minimal assurances to customers. So, there are some important issues, e.g., data protection, outages, and price structures,  that need to be taken into account by the customers before signing a contract with a CSP. Few basic questions related to SLA are uptime i.e. are they going to be up 99.9% of the time or 99.99% of the time? And also how does that difference impact your ability to conduct the business? Is there any SLA associated with backup, archive, or preservation of data. If the service account becomes inactive then do they keep user data? If yes then how long

Cloud Data Management:   Cloud data can be very large (e.g. text-based or scientific applications), unstructured or semi-structured, and typically append-only with rare updates Since service providers typically do not have access to the physical security system of data centers, they must rely on the infrastructure provider to achieve full data security. Even for a virtual private cloud, the CSP can only specify the security setting remotely, without knowing whether it is fully implemented. The infrastructure provider, in this context, must achieve the objectives like confidentiality, auditability. Confidentiality, for secure data access and transfer, and auditability, for attesting whether security setting of applications has been tampered or not. Confidentiality is usually achieved using cryptographic protocols, whereas auditability can be achieved using remote attestation techniques. However, in a virtualized environment like the clouds, VMs can dynamically migrate from one location to another; hence directly using remote attestation is not sufficient. In this case, it is critical to build trust mechanisms at every architectural layer of the cloud.

Data Encryption:   Encryption is a key technology for data security. Understand data in motion and data at rest encryption. Remember, security can range from simple (easy to manage, low cost and quite frankly, not very secure) all the way to highly secure (very complex, expensive to manage, and quite limiting in terms of access). You and the provider of your Cloud computing solution have many decisions and options to consider. For example, do the Web services APIs that you use to access the cloud, either programmatically, or with clients written to those APIs, provide SSL encryption for access, this is generally considered to be a standard. Once the object arrives at the cloud, it is decrypted, and stored. Is there an option to encrypt it prior to storing? Do you want to worry about encryption before you upload the file for cloud computing or do you prefer that the cloud computing service automatically do it for you? These are options, understand your cloud computing solution and make your decisions based on desired levels of security.

Migration of virtual Machines:   Applications are not hardware specific; various programs may run on one machine using virtualization or many machines may run one program. Virtualization can provide significant benefits in cloud computing by enabling virtual machine migration to balance load across the data center. In addition, virtual machine migration enables robust and highly responsive provisioning in data centers. Virtual machine migration has evolved from process migration techniques. More recently, Xen and VMWare have implemented “live” migration of VMs that involves extremely short downtimes ranging from tens of milliseconds to a second.

Interoperability: This is the ability of two or more systems work together in order to exchange information and use that exchanged information. Many public cloud networks are configured as closed systems and are not designed to interact with each other. The lack of integration between these networks makes it difficult for organizations to combine their IT systems in the cloud and realize productivity gains and cost savings. To overcome this challenge, industry standards must be developed to help cloud service providers design interoperable platforms and enable data portability. Organizations need to automatically provision services, manage VM instances, and work with both cloud-based and enterprise-based applications using a single tool set that can function across existing programs and multiple cloud providers. Thus, there is a need to have cloud interoperability.

Access Controls: Authentication and identity management is more important than ever. And, it is not really all that different. What level of enforcement of password strength and change frequency does the service provider invoke? What is the recovery methodology for password and account name? How are passwords delivered to users upon a change? What about logs and the ability to audit access? This is not all that different from how you secure your internal systems and data, and it works the same way, if you use strong passwords, changed frequently, with typical IT security processes, you will protect that element of access.

Energy Resource Management:   Significant saving in the energy of a cloud data center without sacrificing SLA are an excellent economic incentive for data center operators and would also make a significant contribution to greater environmental sustainability. It has been estimated that the cost of powering and cooling accounts for 53% of the total operational expenditure of data centers. The goal is not only to cut down energy cost in data centers, but also to meet government regulations and environmental standards. Designing energy-efficient data centers has recently received considerable attention. This problem can be approached from several directions. For example, energy efficient hardware architecture that enables slowing down CPU speeds and turning off partial hardware components has become commonplace. Energy-aware job scheduling and server consolidation are two other ways to reduce power consumption by turning off unused machines. A key challenge in all the above methods is to achieve a good trade-off between energy savings and application performance.

Multi-tenancy: There are multiple types of cloud applications that users can access through the Internet, from small Internet-based widgets to large enterprise software applications that have increased security requirements based on the type of data being stored on the software vendor’s infrastructure. These application requests require multi-tenancy for many reasons, the most important is cost. Multiple customers accessing the same hardware, application servers, and databases may affect response times and performance for other customers. For application-layer multi-tenancy specifically, resources are shared at each infrastructure layer and have valid security and performance concerns.

Server consolidation: Increased resource utilization and reduction in power and cooling requirements achieved by server consolidation are now being expanded into the cloud. Server consolidation is an effective approach to maximize resource utilization while minimizing energy consumption in a cloud computing environment. Live VM migration technology is often used to consolidate VMs residing on multiple under-utilized servers onto a single server, so that the remaining servers can be set to an energy-saving state.

Reliability & Availability of Service: Challenge of reliability comes into the picture when a cloud provider delivers on-demand SaaS. The software needs to have a reliability quality factor so that users can access it under any network conditions (such as during slow network connections). There are a few cases identified due to the unreliability of on-demand software. One of the examples is Apple’s MobileMe cloud service, which stores and synchronizes data across multiple devices. It began with an embarrassing start when many users were not able to access mail and synchronize data correctly. To avoid such problems, providers are turning to technologies such as Google Gears, Adobe AIR, and Curl, which allow cloud based applications to run locally, some even allow them to run in the absence of a network connection. These tools give web applications access to the storage and processing capabilities of the desktop, forming a bridge between the cloud and the user’s own computer. Considering the use of software such as 3D gaming applications and video conferencing systems, reliability is still a challenge to achieve for an IT solution that is based on cloud computing .

Common Cloud Standards: Security based accreditation for Cloud Computing would cover three main areas which are technology, personnel and operations. Technical standards are likely to be driven by organizations, such as, Jericho Forum1 before being ratified by established bodies, e.g., ISO2 (International Standard Organization). For the operational elements, there are some workable solutions such as tweaking the ISO 27001 and using it as the default measurement standard within the framework of the SAS 704. Currently, one of the main problems is that there are many fragmented activities going in the direction of Cloud accreditation, but a common body for the coordination of those activities is missing. The creation of a unified accreditation body to certify the Cloud services would also be a big challenge .

Platform Management:  Challenges in delivering middle-ware capabilities for building, deploying, integrating and managing applications in a multi-tenant, elastic and scalable environments. One of the most important parts of cloud platforms provide various kind of platform for developers to write applications that run in the cloud, or use services provided from the cloud, or both. Different names are used for this kind of platform today, including on-demand platform and PaaS. This new way of supporting applications has great potential. When a development team creates an on-premises application (i.e., one that will run within an organization), much of what that application needs already exists. An operating system provides basic support for executing the application, interacting with storage, and more, while other computers in the environment offer services such as remote storage.

Tags: ,

Categorised in: ,

This post was written by Sushobhan Mukherjee

Leave a Reply

Your email address will not be published. Required fields are marked *